Deepen PracticeOrdered learning track

Istio Sidecar Mode: Traffic, Security, and Telemetry

Learn Kubernetes Networking, Gateway API, Service Mesh, and Multi-Cluster Traffic Engineering - Part 021

Deep guide to Istio sidecar mode: sidecar injection, request interception, VirtualService, DestinationRule, Gateway, ServiceEntry, PeerAuthentication, AuthorizationPolicy, RequestAuthentication, telemetry, sidecar scoping, upgrade risk, and production failure modelling.

18 min read3424 words
PrevNext
Lesson 2135 lesson track2029 Deepen Practice
#kubernetes#networking#istio#sidecar+10 more

Part 021 — Istio Sidecar Mode: Traffic, Security, and Telemetry

1. Tujuan Part Ini

Part 020 menjelaskan service mesh sebagai distributed traffic control system. Part ini memperdalam mode Istio yang paling klasik dan paling banyak ditemui di produksi: sidecar mode.

Target part ini:

Anda mampu membaca, mendesain, mengaudit, dan men-debug Istio sidecar mode sebagai kombinasi traffic management, workload identity, mTLS, authorization, dan telemetry — bukan sekadar “tambahkan label namespace lalu semua aman”.

Setelah part ini, Anda harus bisa menjawab:

  • Bagaimana Envoy sidecar masuk ke Pod?
  • Bagaimana inbound dan outbound traffic dialihkan ke proxy?
  • Resource Istio mana yang memengaruhi route, cluster, endpoint, TLS, authn, authz, dan telemetry?
  • Apa bedanya VirtualService, DestinationRule, Gateway, ServiceEntry, dan Sidecar?
  • Bagaimana mTLS bekerja pada sidecar mode?
  • Bagaimana policy diterapkan dan mengapa policy bisa terlihat benar tetapi tidak efektif?
  • Bagaimana men-debug 404, 503, TLS handshake failure, 403, stale config, dan sidecar OOM?
  • Kapan sidecar mode adalah pilihan tepat, dan kapan operational cost-nya terlalu tinggi?

2. Kaufman Framing: Mulai dari Traffic Capability, Bukan CRD

Framework Kaufman meminta kita memecah skill menjadi unit kecil yang bisa dilatih dan dikoreksi cepat. Untuk Istio sidecar mode, jangan mulai dari hafalan CRD. Mulai dari pertanyaan operasi:

“Untuk satu request dari service A ke service B, keputusan apa saja yang sekarang diambil oleh proxy, dari mana proxy mendapat keputusan itu, dan bagaimana kita membuktikan keputusan itu benar?”

Deconstruction:

SkillPertanyaan Latihan
InjectionApakah proxy benar-benar ada di Pod dan disiapkan sebelum traffic produksi?
InterceptionApakah outbound/inbound traffic benar-benar melewati sidecar?
RoutingRule mana yang memilih destination subset, weight, timeout, retry, mirror, atau fault injection?
Destination policyApakah mTLS, load balancing, outlier detection, dan connection pool diterapkan ke host yang benar?
IdentityPrincipal apa yang dipakai source dan destination?
AuthNApakah workload menerima plaintext, mTLS, JWT, atau kombinasi?
AuthZApakah policy allow/deny cocok dengan source principal, method, path, port, host, dan namespace?
TelemetryApakah metrics/log/trace merepresentasikan request path yang benar?
DebuggingApakah failure berasal dari aplikasi, Envoy, Istiod, cert, DNS, endpoint, policy, atau route?

Prinsip latihan:

  1. ambil satu request;
  2. prediksi route dan policy yang berlaku;
  3. lihat konfigurasi Envoy aktual;
  4. kirim request;
  5. bandingkan hasil dengan prediksi;
  6. ubah satu variabel;
  7. ulangi sampai mental model stabil.

3. Sidecar Mode dalam Satu Kalimat

Dalam Istio sidecar mode:

Setiap workload Pod mendapatkan Envoy proxy di Pod yang sama; traffic inbound dan outbound dialihkan melalui proxy; Istiod mengirim config, certificate, policy, dan telemetry behavior ke proxy tersebut.

Istio documentation menjelaskan service mesh sebagai split antara data plane dan control plane. Pada sidecar mode, data plane terdiri dari Envoy proxy yang berjalan sebagai sidecar dan memediasi komunikasi antar microservice. Control plane mengelola dan mengonfigurasi proxy untuk routing traffic.

Mental model:


4. Apa yang Sebenarnya Berubah Saat Sidecar Ditambahkan?

Tanpa mesh:

app A -> DNS -> Service VIP -> kube-proxy/CNI -> endpoint Pod B -> app B

Dengan sidecar mode:

app A -> local redirect -> Envoy A -> mTLS/routing/policy -> Envoy B -> local delivery -> app B

Perubahan penting:

AreaTanpa MeshDengan Sidecar Mode
TLSaplikasi/libraryEnvoy sidecar
retryaplikasi/client libraryEnvoy route policy
timeoutaplikasi/client libraryEnvoy route/cluster policy plus app timeout
identityIP, token, app-level identityworkload principal/certificate
authzapp, API gateway, network policyEnvoy policy enforcement plus app
telemetryapp instrumentationproxy telemetry plus app telemetry
traffic splitdeployment/LB/client logicproxy route policy
failure surfaceapp + Kubernetes networkapp + Kubernetes network + proxy + control plane

Top 1% engineer tidak hanya bertanya “apakah Istio aktif?” Mereka bertanya:

“Keputusan mana yang pindah dari kode aplikasi ke proxy, dan siapa yang bertanggung jawab atas correctness keputusan itu?”


5. Sidecar Injection Lifecycle

Istio sidecar bisa ditambahkan secara otomatis melalui namespace/pod label atau secara manual memakai istioctl kube-inject. Pada automatic injection, admission webhook memodifikasi Pod saat dibuat.

Typical namespace enrollment:

kubectl label namespace payments istio-injection=enabled

Atau revision-based enrollment:

kubectl label namespace payments istio.io/rev=1-30-2

Revision-based injection lebih cocok untuk produksi karena memungkinkan canary upgrade control plane/proxy.

5.1 Apa yang Ditambahkan ke Pod?

Biasanya Anda akan melihat:

  • container istio-proxy;
  • init container atau CNI-based traffic redirection setup;
  • volume untuk certificate/config;
  • environment variables;
  • readiness/liveness untuk proxy;
  • annotations berisi status injection;
  • security context tertentu.

Validasi cepat:

kubectl get pod -n payments checkout-abc -o jsonpath='{.spec.containers[*].name}'
kubectl describe pod -n payments checkout-abc | grep -i istio
istioctl proxy-status

5.2 Injection Failure Mode

SymptomKemungkinan PenyebabCara Validasi
Pod tidak punya istio-proxynamespace label salah, webhook down, pod dibuat sebelum labelkubectl get ns --show-labels, kubectl describe pod
Pod stuck initiptables/init permission, CNI issue, image pullkubectl logs -c istio-init, event Pod
Proxy ada tapi tidak readytidak bisa reach Istiod, cert issue, config rejectistioctl proxy-status, proxy logs
Beberapa Pod injected, beberapa tidakmixed namespace labels, rollout lamacompare ReplicaSet generation
Upgrade proxy tidak merataworkload belum restartcheck proxy image/version

Rule praktis:

Label namespace tidak mengubah Pod yang sudah ada. Untuk mendapat sidecar atau proxy revision baru, Pod harus dibuat ulang.


6. Traffic Interception: Kenapa App Tidak Perlu Tahu Envoy?

Sidecar mode bekerja karena traffic dari/ke aplikasi dialihkan secara transparan ke Envoy.

Typical outbound path:

Traffic interception can be implemented through init container iptables programming or Istio CNI. In production clusters with stricter pod security controls, Istio CNI is often preferred because it reduces the need for privileged init container behavior inside application Pod lifecycle.

Key point:

The application still thinks it is connecting to the service.
The kernel redirects the connection to the proxy.
The proxy decides what actually happens next.

This is powerful but dangerous. You can change production traffic behavior without modifying application code. Therefore, route and policy review must be treated like code review.


7. Istio Resource Map: Jangan Campur Semuanya

Istio sidecar mode has a large API surface. The productive mental model is to group resources by decision type.

Decision TypeMain Resources
External ingressGateway, VirtualService
Internal routingVirtualService
Destination behaviorDestinationRule
External dependency modelingServiceEntry
Egress controlServiceEntry, DestinationRule, egress gateway pattern
Proxy config scopingSidecar
Peer authentication / mTLS modePeerAuthentication
Request authentication / JWTRequestAuthentication
AuthorizationAuthorizationPolicy
Telemetry behaviorTelemetry
Low-level extensionEnvoyFilter

Avoid this anti-pattern:

Every team writes arbitrary VirtualService/DestinationRule/EnvoyFilter because “it works”.

Better:

Platform team owns mesh defaults and guardrails.
App team owns explicit route intent inside allowed boundary.
Security team owns identity/authz baseline.
SRE team owns runtime SLO and failure playbooks.

8. VirtualService: Route Intent

VirtualService describes traffic routing rules. It can match by host, path, header, method, port, URI, and other attributes depending on protocol.

Common use cases:

  • route by URI prefix;
  • route by header;
  • traffic split between versions;
  • timeout;
  • retry;
  • fault injection;
  • mirroring;
  • rewrite;
  • redirect.

Example: weighted internal canary.

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: checkout
  namespace: payments
spec:
  hosts:
    - checkout.payments.svc.cluster.local
  http:
    - route:
        - destination:
            host: checkout.payments.svc.cluster.local
            subset: stable
          weight: 90
        - destination:
            host: checkout.payments.svc.cluster.local
            subset: canary
          weight: 10
      timeout: 2s
      retries:
        attempts: 2
        perTryTimeout: 500ms
        retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes

Mental model:

VirtualService chooses where a request should go and what HTTP-level behavior applies.
DestinationRule defines what the destination subsets mean and how connections to that destination behave.

9. DestinationRule: Destination Behavior

DestinationRule applies policies after routing has selected a destination host. It commonly defines:

  • subsets;
  • load balancing policy;
  • connection pool;
  • outlier detection;
  • TLS mode;
  • locality load balancing;
  • port-level settings.

Example:

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: checkout
  namespace: payments
spec:
  host: checkout.payments.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
  subsets:
    - name: stable
      labels:
        version: stable
    - name: canary
      labels:
        version: canary

Failure mode yang sering terjadi:

ProblemRoot Cause
VirtualService references subset but traffic 503subset tidak didefinisikan atau label tidak cocok
traffic split tidak terjadihost mismatch antara Service name pendek vs FQDN
mTLS gagalDestinationRule TLS mode conflict dengan mesh setting
connection reset saat rolloutconnection pool/drain tidak aligned dengan app termination
canary tidak mendapat trafficroute match precedence salah

10. Gateway vs Kubernetes Gateway API

Istio memiliki resource Gateway sendiri dari awal. Gateway API Kubernetes adalah API berbeda dengan group gateway.networking.k8s.io.

AreaIstio GatewayKubernetes Gateway API
API groupnetworking.istio.iogateway.networking.k8s.io
Era desainIstio-nativeKubernetes SIG Network standardization
Route bindingVirtualService.gatewaysparentRefs dari Route ke Gateway/Service
PortabilityIstio-specificlebih portable secara API, tergantung controller conformance
Mesh integrationnative IstioGAMMA / implementation support

Dalam sidecar mode yang sudah lama berjalan, Anda akan sering menemukan Istio Gateway + VirtualService. Pada platform baru, Gateway API biasanya lebih masuk akal sebagai public platform contract, tetapi migration harus hati-hati karena behavior controller-specific tetap bisa berbeda.


11. ServiceEntry: Modeling External Dependencies

ServiceEntry memungkinkan Istio mengetahui external service yang tidak ada sebagai Kubernetes Service biasa.

Use cases:

  • allow-list external host;
  • egress telemetry untuk external dependency;
  • TLS origination;
  • external service failover;
  • modeling VM/bare-metal workload;
  • egress gateway pattern.

Example:

apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: payment-provider
  namespace: payments
spec:
  hosts:
    - api.payment-provider.example
  ports:
    - number: 443
      name: tls
      protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL

Top 1% consideration:

ServiceEntry is not a firewall by itself. It models traffic for the mesh. Real egress control usually needs mesh config, sidecar scoping, NetworkPolicy/CNI policy, DNS discipline, and cloud firewall/NAT controls.


12. Sidecar Resource: Scope the Proxy, Reduce Blast Radius

The Sidecar resource controls the configuration scope for sidecar proxies. Without careful scoping, every proxy may receive configuration for many services it does not need.

Why this matters:

  • large clusters can create huge xDS config;
  • proxy memory grows;
  • Istiod push cost grows;
  • route ambiguity increases;
  • debugging gets harder.

Example boundary:

apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: payments-default
  namespace: payments
spec:
  egress:
    - hosts:
        - "./*"
        - "shared-observability/*"
        - "istio-system/*"

Interpretation:

  • ./* means services in the same namespace;
  • explicit namespaces can be allowed;
  • everything else is not automatically visible from the proxy config perspective.

Sidecar scoping is not a substitute for authorization. It is a config distribution boundary and operational scaling mechanism.


13. mTLS in Sidecar Mode

Istio sidecar mode can automatically provide mutual TLS between workloads with sidecars. The destination sidecar terminates mTLS and forwards plaintext to the local app unless the app itself also uses TLS.

Conceptual flow:

Important distinction:

TermMeaning
transport encryptiontraffic encrypted on the wire between proxies
workload identitycertificate principal used by proxy on behalf of workload
application TLSapp itself speaks TLS
mesh mTLSproxy-to-proxy mutual TLS
end-to-end TLSencryption from app client to app server, not terminated by mesh proxy

If compliance requires app-level end-to-end encryption, mesh mTLS alone may not satisfy the requirement.


14. PeerAuthentication: What Does the Destination Accept?

PeerAuthentication controls what kind of peer authentication/mTLS mode destination workloads accept.

Common modes:

ModeMeaningProduction Use
PERMISSIVEaccept plaintext and mTLSmigration phase
STRICTrequire mTLSmature mesh baseline
DISABLEdisable mTLSrare, risky, compatibility only
UNSETinherit parent/defaultuseful for hierarchy

Example namespace strict mTLS:

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT

Failure modes:

SymptomLikely Root Cause
plaintext client fails after strict mTLSsource not in mesh or no sidecar
intermittent TLS failuresome pods injected, some not
policy appears applied but no effectnamespace/workload selector mismatch
legacy service breaksmigration skipped permissive observation period

15. RequestAuthentication: JWT Verification

RequestAuthentication tells Istio how to validate JWT tokens. It verifies tokens but does not, by itself, authorize business access. Authorization is typically expressed with AuthorizationPolicy.

Example:

apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: checkout-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: checkout
  jwtRules:
    - issuer: "https://issuer.example"
      jwksUri: "https://issuer.example/.well-known/jwks.json"

Pair it with authorization:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: checkout-require-jwt
  namespace: payments
spec:
  selector:
    matchLabels:
      app: checkout
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]

Mental model:

RequestAuthentication proves token validity.
AuthorizationPolicy decides whether the request is allowed.

16. AuthorizationPolicy: Allow/Deny with Workload Identity

AuthorizationPolicy can allow or deny based on attributes such as source principal, namespace, IP, request principal, method, path, host, and port.

Example: allow only checkout service account to call payment API.

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payment-api-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payment-api
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/payments/sa/checkout
      to:
        - operation:
            methods: ["POST"]
            paths: ["/payments/*"]

Critical invariant:

Authorization enforced by the destination proxy is only as strong as the traffic path guarantee that traffic reaches that proxy.

Therefore validate:

  • destination Pod has sidecar;
  • traffic is captured;
  • mTLS identity exists;
  • policy selector matches the destination workload;
  • request protocol is correctly detected as HTTP if matching path/method;
  • policy is not shadowed by broader allow/deny behavior.

17. DENY, ALLOW, and Dry-Run Discipline

A safe production policy rollout usually follows this sequence:

  1. observe traffic with telemetry;
  2. define intended callers;
  3. create dry-run policy if supported for the scenario;
  4. test in staging with representative traffic;
  5. apply namespace-level default deny carefully;
  6. apply explicit allow rules;
  7. verify metrics/logs;
  8. run rollback plan.

Dangerous pattern:

# Looks secure, but can break everything if callers are not fully enumerated.
action: ALLOW
rules:
  - from:
      - source:
          principals:
            - cluster.local/ns/payments/sa/checkout

Better migration posture:

Observe -> report -> dry-run -> partial enforcement -> strict enforcement -> continuous drift detection

18. Telemetry: Proxy Observability Is Not Application Truth

Istio can generate detailed metrics, access logs, and traces from proxy behavior. This is powerful because it does not require every application team to instrument basic service-to-service visibility from scratch.

Telemetry dimensions commonly include:

  • source workload;
  • destination workload;
  • namespace;
  • service;
  • response code;
  • response flags;
  • latency;
  • request protocol;
  • mTLS status;
  • reporter source/destination.

But proxy telemetry has limits:

Proxy SeesProxy May Not Know
HTTP statusbusiness success/failure semantics
transport latencyDB/query/internal app timing
request pathinternal business operation state
mTLS identityuser identity unless propagated/verified
upstream resetexact application exception

Use proxy telemetry to answer:

Who called whom, through which path, with what transport result?

Use application telemetry to answer:

What business operation happened, and why did application logic succeed or fail?

19. Telemetry API Example

Example: enable access logging for namespace.

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: payments-access-logs
  namespace: payments
spec:
  accessLogging:
    - providers:
        - name: envoy

Example tracing sampling should be used carefully:

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: payments-tracing
  namespace: payments
spec:
  tracing:
    - providers:
        - name: otel
      randomSamplingPercentage: 5.0

Production warning:

More telemetry is not automatically better. High-cardinality labels and verbose access logs can become a reliability and cost incident.


20. Protocol Detection and Port Naming

Istio behavior depends heavily on protocol awareness. If Istio cannot infer that traffic is HTTP/gRPC, L7 features like path-based authz, route matching, retries, and metrics may not behave as expected.

Good Service port naming:

ports:
  - name: http-api
    port: 8080
    targetPort: 8080

Bad or ambiguous:

ports:
  - name: web
    port: 8080

Failure mode:

SymptomPossible Cause
path-based AuthorizationPolicy not appliedport treated as TCP
HTTP metrics missingprotocol detection failed
gRPC behaves like opaque TCPwrong port naming or ALPN issue
route match ignoredrequest is not seen as HTTP by Envoy

21. Timeouts, Retries, and the Retry Storm Trap

Istio makes it easy to configure retries. That is not the same as making retries safe.

Retry budget mental model:

total downstream request budget >= application work + upstream timeout + retry attempts + queueing + network variance

Bad pattern:

retries:
  attempts: 5
  perTryTimeout: 2s

If the caller has a 3s timeout, this config is logically inconsistent. It may cause wasted work and cascading load.

Better reasoning:

ParameterQuestion
caller timeoutHow long can user/business workflow wait?
per-try timeoutHow long before one upstream attempt is considered failed?
attemptsHow many attempts fit the caller budget?
retryOnWhich failures are safe to retry?
idempotencyIs the operation safe to replay?
circuit breakerWhat prevents amplification during outage?

Never configure retries on non-idempotent writes unless you have a clear idempotency key or deduplication contract.


22. Debugging Workflow: From Symptom to Proxy Config

Use a hypothesis-driven path. Do not randomly edit YAML.

22.1 Check Mesh Enrollment

kubectl get pod -n payments checkout-abc -o jsonpath='{.spec.containers[*].name}'
istioctl proxy-status
istioctl proxy-status | grep checkout

22.2 Inspect Effective Config

istioctl proxy-config listeners deploy/checkout -n payments
istioctl proxy-config routes deploy/checkout -n payments
istioctl proxy-config clusters deploy/checkout -n payments
istioctl proxy-config endpoints deploy/checkout -n payments
istioctl proxy-config secret deploy/checkout -n payments

22.3 Analyze Istio Objects

istioctl analyze -A
kubectl get virtualservice,destinationrule,peerauthentication,authorizationpolicy -A

22.4 Compare Source and Destination

istioctl proxy-config cluster deploy/checkout -n payments | grep payment-api
istioctl proxy-config listener deploy/payment-api -n payments
kubectl logs deploy/payment-api -c istio-proxy -n payments

22.5 Reason by Error Class

ErrorUsual Layer
404 from Envoyroute/host/path mismatch
503 UFupstream connection failure
503 NRno route
503 UHno healthy upstream
403AuthorizationPolicy/JWT/peer identity
TLS handshake failuremTLS mode/cert/trust domain/DestinationRule
intermittent failuremixed injected/non-injected pods, endpoint churn, locality, stale config

23. Production Failure Modes

Failure ModeWhy It HappensPrevention
Sidecar missingnamespace label drift or rollout historyadmission policy, mesh enrollment dashboard
Mixed proxy versionscanary upgrade incompleterevision-based upgrade plan
Envoy OOMconfig explosion, high concurrency, access log volumeSidecar scoping, resource sizing, telemetry budget
Retry stormunsafe retry policyretry budget, idempotency review, circuit breaker
Route shadowingbroad match before specific matchroute review, tests, istioctl analyze
mTLS strict breaks legacysource lacks proxyphased migration, permissive observation
AuthZ denies valid callerwrong principal or selectorpolicy dry-run, log denied principal
AuthZ allows too muchnamespace wildcard or broad principalsleast privilege review
Telemetry cardinality explosiondynamic path/header labelslabel hygiene
Stale configIstiod/proxy sync issueproxy-status, canary restart, watch Istiod metrics
Egress bypasstraffic not captured or external IP pathNetworkPolicy/CNI/cloud firewall plus mesh egress
EnvoyFilter incidentunsafe low-level patchstrict ownership, tests, avoid unless necessary

24. Architecture Decision: When Sidecar Mode Is a Good Fit

Sidecar mode is usually strong when:

  • you need mature L7 traffic management per workload;
  • app teams run heterogeneous languages/frameworks;
  • mTLS and identity must be standardized;
  • you need fine-grained HTTP/gRPC authorization;
  • you need battle-tested behavior and ecosystem maturity;
  • you can afford per-Pod proxy overhead;
  • platform team can operate Istio as production infrastructure.

Sidecar mode is weak when:

  • workloads are extremely resource constrained;
  • startup latency and Pod density are critical;
  • most traffic only needs L4 encryption/policy;
  • many short-lived jobs make injection overhead painful;
  • app teams cannot tolerate proxy-in-path complexity;
  • mesh ownership is unclear.

Decision invariant:

Adopt sidecar mode only when the value of per-workload L7 control exceeds the operational tax of per-workload proxies.

25. Lab 1 — Trace One Request Through Sidecar Mode

Goal: prove the request path.

Steps:

  1. deploy frontend and backend in injected namespace;
  2. call backend from frontend;
  3. inspect source routes and clusters;
  4. inspect destination listeners;
  5. confirm mTLS secret exists;
  6. enable access logs;
  7. compare source and destination telemetry.

Commands:

kubectl exec -n payments deploy/frontend -c app -- curl -sS http://backend:8080/health
istioctl proxy-config routes deploy/frontend -n payments
istioctl proxy-config clusters deploy/frontend -n payments | grep backend
istioctl proxy-config listeners deploy/backend -n payments
istioctl proxy-config secret deploy/frontend -n payments

Expected learning:

The Kubernetes Service gives identity/rendezvous.
Envoy applies route/policy/telemetry.
Istiod provides the config that makes Envoy behavior possible.

26. Lab 2 — Break mTLS Intentionally

Goal: distinguish mTLS failure from route failure.

Steps:

  1. set namespace PeerAuthentication to STRICT;
  2. call destination from injected source;
  3. call destination from non-injected source;
  4. inspect Envoy logs and response code;
  5. return to safe state.

Expected result:

  • injected source works;
  • non-injected source fails;
  • failure is transport/authentication, not HTTP route.

27. Lab 3 — Break Authorization Intentionally

Goal: learn principal-based allow list.

Steps:

  1. create AuthorizationPolicy allowing only checkout service account;
  2. call from checkout;
  3. call from debug pod;
  4. inspect denied source principal;
  5. fix policy.

Key question:

Did we deny by workload identity, namespace, path, method, or accidental protocol mismatch?

28. Lab 4 — Validate Canary Route

Goal: prove VirtualService + DestinationRule behavior.

Steps:

  1. deploy backend with version: stable and version: canary;
  2. define subsets;
  3. configure 90/10 split;
  4. generate 1000 requests;
  5. observe distribution;
  6. change to 50/50;
  7. rollback.

Watch for:

  • sticky sessions;
  • small sample size distortion;
  • subset label mismatch;
  • route host mismatch;
  • telemetry reporter confusion.

29. Top 1% Checklist untuk Istio Sidecar Mode

Sebelum production rollout, pastikan:

  • namespace enrollment jelas;
  • revision-based upgrade strategy ada;
  • proxy resource request/limit disizing;
  • default mTLS posture terdokumentasi;
  • legacy traffic migration plan ada;
  • AuthorizationPolicy punya owner dan review process;
  • protocol naming benar;
  • timeout/retry policy konsisten dengan app SLO;
  • DestinationRule subset label tervalidasi;
  • Sidecar scoping dipertimbangkan untuk cluster besar;
  • EnvoyFilter dibatasi ketat;
  • telemetry cardinality dikontrol;
  • proxy access log tidak membanjiri storage;
  • istioctl analyze masuk CI/CD atau release gate;
  • runbook untuk 403, 404, 503, TLS failure, and proxy OOM tersedia;
  • app teams tahu behavior yang dipindahkan ke mesh.

30. Ringkasan

Istio sidecar mode memberi kontrol L7 yang kuat karena Envoy berada di setiap Pod. Itu memungkinkan mTLS, traffic shaping, authorization, telemetry, retry, timeout, mirroring, dan circuit-breaking tanpa mengubah semua aplikasi.

Tetapi konsekuensinya besar:

Every workload gets a proxy.
Every proxy needs config.
Every config decision can affect production traffic.

Sidecar mode bukan hanya fitur security atau observability. Ia adalah runtime traffic governance layer. Engineer yang kuat tidak hanya bisa menulis VirtualService, tetapi bisa membuktikan bagaimana request benar-benar diproses oleh Envoy, policy mana yang berlaku, cert mana yang dipakai, dan failure mana yang sedang terjadi.

Part berikutnya akan membahas Istio ambient mesh: ztunnel, waypoint, HBONE, split L4/L7, sidecarless trade-off, enrollment, policy migration, dan failure mode baru yang berbeda dari sidecar mode.


31. Referensi

Lesson Recap

You just completed lesson 21 in deepen practice. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.